  1. #1 (Join Date: Jan 2004, Posts: 45)

    Question: How to identify the service in one port?

    Hello,

    My server crashed many times in the last few days. I found one script (.bs.pl) in /tmp (but my /tmp is noexec). After this, always, even after reboot, I see this using netstat -an:

    udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED

    How do I identify the service (or script) running on this port? The script always changes the port (after reboot).

    I ran ps -aux but saw nothing different.

    Thanks,
    Minotauro.

  2. #2 (Join Date: Jun 2003, Location: World Wide Web, Posts: 581)

    Try:
    netstat -lpn
    Also, try to check the results of ps ax

    If there is something wrong with the ps binary, it may not show up in the ps ax output.

    In that case, it would be better to read directly from the /proc directory.

    First, I would suggest you download and run chkrootkit from chkrootkit.org

    Vivek Prasannan

  3. #3

    Re: How to identify the service in one port?

    Originally posted by minotauro:
        I see this using netstat -an:

        udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED

        How do I identify the service (or script) running on this port? The script always changes the port (after reboot).

        I ran ps -aux but saw nothing different.
        Minotauro.

    netstat -anp (the p option will give you the pid#) OR
    lsof | grep IPv4 (gives you more info on your port + pid)

    Then once you have the pid or even the name now:

    ps -aux | grep <pid#> (to find out which program is using the pid; my guess is it's "named")

    Also:
    "tcpdump -i eth<X> -p udp -n"
    This will give you an idea of what is going through your udp, and I bet you will find that port 32769 is used as the source port for DNS queries from your box. Do "nslookup newdomain.com" and watch the tcpdump run.

    So why 32769? I believe distros like RH changed the starting high-port >1023 to >32769. Search google.

    As suggested above, you can also download helpful programs such as chkrootkit, disconnect your pc from network and run it.

    I would also look into some filesystem integrity checking tools such as AIDE and Tripwire that can help you watch for any changes in your file system.

    Let me know how you make out.

    cheers

  4. #4 (Join Date: Jan 2004, Posts: 45)

    Hello visiondream3 and makesecure,

    After I ran netstat -anp, I see the port is PostgreSQL:

    udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED 4189/postmaster

    Thanks for the reply!

    Regards,
    Minotauro.

  5. #5 (Join Date: Jan 2004, Location: Greece, Posts: 2,123)

    noexec prevents someone from doing:
    cd tmp
    ./bs.pl

    But he can do:
    perl /tmp/bs.pl

    So noexec on /tmp doesn't really help.
